Application programming interfaces (APIs) are a set of subroutine definitions, protocols, and tools for building application software that accesses resources available through the Internet. APIs build on the basic architecture of the World Wide Web and are based on the HTTP protocol. However, certain characteristics of HTTP make APIs vulnerable to attacks from hackers.
APIs use the stateless HTTP protocol, which is a foundational element of the architecture of the World Wide Web. APIs are most often designed to be stateless, both to align with the characteristics of the HTTP protocol, and to simplify the development of high volume systems that scale by instantiating many parallel instances of a service.
This property of statelessness makes APIs particularly vulnerable to exploitation by hackers. Hackers look for weak points in the security of systems. APIs create a point of interaction with applications that may be vulnerable to hackers. Since APIs are commonly stateless, a hacker has many chances to mount attacks without detection, because each API call received by an application stands alone outside of the context of a logical flow of transactions.
A hacker can experiment by sending repeated, varying requests to an API endpoint to discover vulnerabilities. For example, a hacker might mount fuzzing attacks against an API endpoint, which involve sending repeated transactions containing random variations in the parameters of an API request. The attack seeks to determine whether a specific combination of parameters will reveal an existing system vulnerability, such as a buffer overflow vulnerability or a failure to properly authorize unexpected requests for service. SQL Injection is another example of an attack that is generally fine-tuned through repeated experimentation. Unlike fuzzing attacks, SQL Injection is executed in a more guided and active manner; however, it still exploits the statelessness of HTTP and the static nature of the API endpoint.
The basic architecture of the web is built around resources that are exposed as URL-addressable endpoints. The URL contains a protocol, an internet address, an optional port, and an optional string to distinguish between different APIs on a particular computer server. Every unique API has an associated unique web URL. Different APIs, such as getStockQuote( ) and buyStock( ), will be distinguished by their different URLs. For example, the former might be accessible at the URL “http://acme.com/apis/getStockQuote”, and the latter at “http://acme.com/apis/buyStock”.
An attack against the buyStock API might involve sending a large number of requests to probe the “http://acme.com/apis/buyStock” endpoint. Because the computer server is stateless, this may appear to be legitimate traffic even if it is not successfully executing a financial transaction, especially if the attack is mounted over a relatively long period of time so that it is concealed by intervening legitimate traffic. Accordingly, APIs provided by a computer server are vulnerable to many types of attacks that are carried out through API requests from hacker-operated and other maliciously operating client computer applications.
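The probing pattern described above, as an added example that is not part of the original text: a defender-side correlation check that restores the cross-request context a stateless endpoint lacks by grouping requests per client and endpoint over a sliding window and flagging clients whose recent requests to one endpoint mostly fail and use a different parameter set every time. The log format, thresholds, and sample log lines are constructed assumptions.

```python
# Added example: correlate stateless API requests per (client, endpoint) so
# that slow, parameter-varying probing of one endpoint becomes visible.
# Log format, thresholds and sample lines are assumptions, not from the text.
from collections import defaultdict, deque
from urllib.parse import urlsplit

WINDOW_SECONDS = 600            # correlate requests over 10 minutes (assumed)
MIN_REQUESTS = 6                # judge a client only after this many requests
DISTINCT_RATIO_THRESHOLD = 0.8  # nearly every request carries a new parameter set
ERROR_RATIO_THRESHOLD = 0.6     # most requests end in a 4xx/5xx status

# Constructed sample log, one request per line: "timestamp client_ip status url"
SAMPLE_LOG = """\
0 10.0.0.5 200 http://acme.com/apis/getStockQuote?symbol=ACME
30 10.0.0.5 200 http://acme.com/apis/buyStock?symbol=ACME&qty=10
60 10.0.0.9 400 http://acme.com/apis/buyStock?symbol=ACME&qty=-1
90 10.0.0.9 400 http://acme.com/apis/buyStock?symbol=ACME&qty=99999999
120 10.0.0.9 500 http://acme.com/apis/buyStock?symbol=ACME%27&qty=1
150 10.0.0.9 400 http://acme.com/apis/buyStock?symbol=AAAAAAAAAAAAAAAA&qty=1
180 10.0.0.9 403 http://acme.com/apis/buyStock?symbol=ACME&qty=1&account=0
210 10.0.0.9 400 http://acme.com/apis/buyStock?symbol=ACME&qty=abc
240 10.0.0.5 200 http://acme.com/apis/getStockQuote?symbol=ACME
"""

def parse_line(line):
    """Split 'timestamp client status url' into (ts, client, status, path, query)."""
    ts, client, status, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    return int(ts), client, int(status), parts.path, parts.query

def detect_probing(log_text):
    """Return {(client, path): summary} for clients whose windowed traffic to one
    endpoint is mostly failing and varies its parameters on almost every call."""
    windows = defaultdict(deque)   # (client, path) -> deque of (ts, query, status)
    alerts = {}
    for line in log_text.splitlines():
        ts, client, status, path, query = parse_line(line)
        key = (client, path)
        win = windows[key]
        win.append((ts, query, status))
        while ts - win[0][0] > WINDOW_SECONDS:   # drop requests older than the window
            win.popleft()
        if len(win) < MIN_REQUESTS:
            continue
        distinct_ratio = len({q for _, q, _ in win}) / len(win)
        error_ratio = sum(1 for _, _, s in win if s >= 400) / len(win)
        if distinct_ratio >= DISTINCT_RATIO_THRESHOLD and error_ratio >= ERROR_RATIO_THRESHOLD:
            alerts[key] = {"requests": len(win), "distinct_ratio": distinct_ratio,
                           "error_ratio": error_ratio}
    return alerts
```

Running `detect_probing(SAMPLE_LOG)` flags only 10.0.0.9 against /apis/buyStock; the legitimate client 10.0.0.5 never reaches the request minimum for any single endpoint.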